
Why can't an authorized user log in via LDAP?

Explorer

I have successfully configured LDAP to my organization's Active Directory and have several strategies configured; we have a massive disorganized domain, so I need to create multiple strategies to keep the returned results within the search time/size limits.

I have one strategy that works just fine for the OU that it points to. However, all other strategies (each pointing to different OUs) fail when users attempt to log in, with the following errors:


AuthenticationManagerLDAP - Could not find user="somebody01" with strategy="Strategy 1"
AuthenticationManagerLDAP - Could not find user="somebody01" with strategy="Strategy 2"
AuthenticationManagerLDAP - Could not find user="somebody01" with strategy="Strategy 3"
AuthenticationManagerLDAP - Could not find user="somebody01" with strategy="Strategy 4"
AuthenticationManagerLDAP - Could not find user="somebody01" with strategy="Strategy 5"

The user "somebody01" is discoverable via "Strategy 2" and in fact enumerates when I browse to Settings > Access controls > Authentication method > LDAP strategies > (Strategy 2) Map groups > "theRelevantGroup-GG"

I have tested using Domain Local vs. Domain Global Groups, rearranged the connection order (no connection errors so this was a shot in the dark), and adjusted my DN strings (however I am confident these are all correct [i.e. no errors upon Strategy save and as indicated above, user enumeration in web gui group mapping]), and the results are the same.

I have searched for days and cannot find a comparable post, but please link if my Google/Duckduckgo/Splunk Answers fu was not good enough.

Cheers.

0 Karma

Re: Why can't an authorized user log in via LDAP?

Explorer

Hi folks. I solved my problem.

My issue had to do with a misconfigured User Base DN. I was wrong in assuming that the users (Accounts) were stored in the same OU as their team's groups, when in fact the Accounts were one or two parent OUs above their respective team.

This was simply an oddity of how my organization organizes accounts, OUs, groups, etc. in Active Directory.

Happy Splunking!


0 Karma
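The mismatch the accepted answer describes can be checked offline before touching the Splunk configuration. The following is an added example, not code from the thread or from Splunk: it parses DNs into RDNs and tests whether a given account or group DN falls inside a strategy's base DN (subtree scope), using constructed sample DNs and hypothetical strategy names that mirror the "accounts live one OU above the team OU" layout.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (not from the original thread): the account sits
# one OU above the team OU that holds its group, the layout the answer describes.
USER_DN = "CN=somebody01,OU=Accounts,OU=Engineering,DC=example,DC=com"
GROUP_DN = "CN=theRelevantGroup-GG,OU=TeamBlue,OU=Engineering,DC=example,DC=com"

# Hypothetical strategies: (name, user base DN, group base DN).
STRATEGIES = [
    ("Strategy 2 (as misconfigured)",
     "OU=TeamBlue,OU=Engineering,DC=example,DC=com",
     "OU=TeamBlue,OU=Engineering,DC=example,DC=com"),
    ("Strategy 2 (corrected)",
     "OU=Engineering,DC=example,DC=com",
     "OU=TeamBlue,OU=Engineering,DC=example,DC=com"),
]


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, keeping backslash-escaped
    commas (e.g. 'CN=Doe\\, John') inside their value. Values are lowered
    because Active Directory compares DNs case-insensitively."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is at or below base_dn, i.e. a subtree-scoped
    search rooted at base_dn can return it."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


def diagnose(user_dn: str, group_dn: str, strategies) -> Dict[str, Tuple[bool, bool]]:
    """For each strategy, report (user reachable, group reachable)."""
    return {name: (in_subtree(user_dn, ubase), in_subtree(group_dn, gbase))
            for name, ubase, gbase in strategies}


if __name__ == "__main__":
    for name, (user_ok, group_ok) in diagnose(USER_DN, GROUP_DN, STRATEGIES).items():
        print(f"{name}: user found={user_ok}, group found={group_ok}")
```

A strategy that reports the group as reachable but the user as unreachable reproduces exactly the symptom in the question: group mapping enumerates the group, yet login fails with "Could not find user".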

Re: Why can't an authorized user log in via LDAP?

SplunkTrust

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: Why can't an authorized user log in via LDAP?

Explorer

Thanks, I was waiting for mod approval.